CVE-2025-5101

MEDIUM

Gitlab < 18.1.5 - Code Injection

Title source: rule

Description

An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an authenticated attacker to distribute malicious code that appears harmless in the web interface by taking advantage of ambiguity between branches and tags during repository imports.

References (2)

[Broken Link] https://gitlab.com/gitlab-org/gitlab/-/issues/545165

[Permissions Required] https://hackerone.com/reports/3124199

Scores

CVSS v3 5.0

EPSS 0.0001

EPSS Percentile 2.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N

Classification

CWE

CWE-94

Status published

Affected Products (4)

gitlab/gitlab < 18.1.5

gitlab/gitlab

Timeline

Published Aug 27, 2025

Tracked Since Feb 18, 2026